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THE NEED TO STRENGTHEN 
INFORMATION SECURITY AT THE 
DEPARTMENT OF HOMELAND SECURITY 


Thursday, April 14, 2005 

House of Representatives, 
Subcommittee on Management, 
Integration, and Oversight, 
Committee on Homeland Security, 

Washington, DC. 

The subcommittee met, pursuant to call, at 2:38 p.m., in Room 
210, Cannon House Office Building, Hon. Mike Rogers [chairman 
of the subcommittee] presiding. 

Present: Representatives Rogers, Cox, Reichert, Jackson-Lee, and 
Meek. 

Mr. Rogers. [Presiding.] The hearing will come to order. 

I would like to first welcome our witnesses today and thank them 
for taking the time out of their full schedules to be with us on such 
short notice. The purpose of today’s hearing is to review the defi- 
ciencies with the Department of Homeland Security’s current infor- 
mation security program and what steps need to be taken to im- 
prove the overall performance of this program. 

The Office of Management and Budget submitted a report dated 
March 1, 2005, to Congress on how well Federal agencies are doing 
in complying with the Federal Information Security Management 
Act of 2002, known as FISMA. Based on this report, last week, the 
Government Reform Committee, which is chaired by our colleague 
on this subcommittee. Congressman Tom Davis, issued its latest 
Federal Computer Security Report Card which gave a grade of Dh- 
to the whole government, but a grade of F to the Department of 
Homeland Security. 

While the report of the Office of Management and Budget recog- 
nized some information security improvements in the Department 
of Homeland Security, the Department received the same failing 
grade for 2004 that it received for the previous year. 

The Department clearly has many challenges facing it, both out- 
side and inside the area of information security. Given the special 
and unique mission of the Department to utilize sensitive informa- 
tion to protect our country, the area of information security is an 
area in which the Department should be a good example, not a 
poor one. The Department needs to do a better job protecting its 
own information systems while at the same time it protects the in- 
formation technology infrastructure of the United States against 
cyberterrorism. 


( 1 ) 
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The subcommittee recognizes the Department is implementing a 
number of initiatives to improve its information security. For exam- 
ple, the Department is working on a baseline inventory of all sys- 
tems that can currently be categorized as secure systems under 
FISMA guidelines. The Department is also aiming to complete cer- 
tification and accreditation of all these information systems by the 
end of Fiscal Year 2006. 

These are steps in the right direction, but the Department needs 
to do much more to improve its grade from an F. The changes that 
need to be implemented to maintain a high standard of information 
security will improve or involve a long-term commitment and sig- 
nificant effort by the Department and the many entities within the 
Department. They simply must work together to achieve the com- 
mon goal of department-wide information security. 

Now, this is no easy task, given that there are 22 legacy agen- 
cies, many of which brought with them their own IT systems. 
Today, we will discuss the importance of information security pro- 
grams and the status of implementation at the Department of 
Homeland Security. 

On our first panel, we will hear from a senior official with the 
Government Accountability Office about current deficiencies in the 
Department’s information security program and what more needs 
to be done to fix the problem. We also are pleased to have the De- 
partment’s Chief Information Officer on this panel to answer ques- 
tions that the Members may have today. 

Our second panel will include two experts on what the private 
sector is doing to secure information systems. Their insights on les- 
sons learned will be helpful as we evaluate what more the Depart- 
ment of Homeland Security needs to do to strengthen its own infor- 
mation security systems. 

I once again thank the witnesses for joining us today and look 
forward to their testimony on this important topic. 

And now I yield the floor to my friend and colleague from Flor- 
ida, Mr. Meek. 

Mr. Meek. Thank you very much, Mr. Chairman. 

I want to thank our witnesses for being here today. Over the 
past couple of months, high-profile invasions into computer systems 
of prominent data brokerage firms have — firms that have the trust 
of information security has been broken into, into the national 
spotlight. The invasions of ChoicePoint and LexisNexis database 
were not only descriptive, but also was wide-open to full-scale theft 
of identity theft. 

The citizens across the country of the United States are very, 
very concerned about these revelations that have taken place over 
recent days. I can tell you that many of the issues that we have 
to protect, not only in the department but also in the private sec- 
tor, has a lot to do with American life, commerce, education, gov- 
ernance, and of course, protecting our country. 

Imagine that the hijackers or terrorists looking to conceal their 
identities and the database that they infiltrated. They, also, as it 
relates to going into — if they were to also go into the Department 
of Homeland Security, US-VISIT, or Secure Flight program, a sin- 
gle government infiltration could be a disaster. 



3 


What protections do we have in place to assure that vital, not 
only secret, but tracking information, is actually secure? The Fed- 
eral Information Security Management Act, commonly referred to 
as FISMA, which was established in 2002, is supposed to assure 
that all government agencies establish and enforce policies that 
could keep information secured. FISMA requires federal agencies to 
secure, not only their information systems, but the information 
itself 

However, 3 years later, the federal government continues to lag 
behind the private sector in designing and implementing informa- 
tion systems. In fact, the House Government Reform Committee 
gave the federal government, which was mentioned earlier, a Dh- 
on security on the most recent federal computer security scorecard. 
Even though seven agencies received an F, the one given to the De- 
partment of Homeland Security for the second year in a row is es- 
pecially troubling. 

How can DHS fulfill its role in leading federal agencies in 
cybersecurity and also the private sector? Any compromise of that 
data would be a disaster. 

I look forward to hearing from our witnesses as it relates to how 
we can secure the homeland, not only from the department, but 
from also from the GAO. I am pretty sure that the findings in this 
hearing and as this committee moves forth in protecting the real 
sensitive information of protecting our country will be used — the 
information that we receive today will be used to protect future 
generations. 

So I look forward to the testimony. 

And, Mr. Chairman, I am glad that we were able to schedule this 
hearing to hear from these witnesses. 

Prepared Statement of the Honorable Bennie Thompson, a Representative 

IN Congress From the State of Mississippi, and Ranking Member, Com- 
mittee ON Homeland Security 

Thank you, Mr. Chairman; Ranking Member Meek. I am pleased to be meeting 
today to review the Department’s efforts to improve the security of its data and sys- 
tems under the Federal Information Security Management Act, or FISMA. 

The Department of Homeland Security is responsible for leading the Federal ef- 
fort to secure cyberspace. That is why it is essential that the Department have their 
data and systems security ’house’ in order. It is unacceptable that the leader of our 
Federal cybersecurity efforts received one of the lowest grades on the House Govern- 
ment Reform Committee’s 2004 report card on cyber security within federal agen- 
cies. The Department must lead by example — how can we expect the private sector 
to secure its data and systems if the government cannot secure its own. 

We have seen what happens when an entity fails to adequately protect the integ- 
rity of its data from inappropriate access. The results can be disastrous. 

For example, ChoicePoint had business system failures that resulted in the leak- 
ing of 145,000 records containing personal private information. Just two days ago, 
LexisNexis databases were hacked and the reported loss of data now affects ten 
times the number of consumers than originally thought. 

I look forward to today’s testimony on how the “real world” is implementing cyber 
security. 

Mr. Rogers. I thank the Ranking Member for that statement. 

I would also remind members that they can submit statements 
for the record over the next several days. 

The Chairman now calls the first panel and recognizes Mr. Greg 
Wilshusen, Director of Information Security Issues, GAO. 

And the Chair also acknowledges the appearance of Mr. Steven 
Cooper, Chief Information Officer for the Department of Homeland 
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Security, who is available to answer questions, but I recognize on 
such short notice was not able to put together a formal statement. 

We look forward to hearing your answers to questions. 

But, Greg, if you will go ahead and start, I would appreciate it. 

STATEMENT OF MR. GREGORY C. WILSHUSEN, DIRECTOR, 

INFORMATION SECURITY ISSUES, GOVERNMENT ACCOUNT- 
ABILITY OFFICE 

Mr. WiLSHUSEN. Mr. Chairman, Ranking Member, I am pleased 
to be here today to discuss the Department of Homeland Security’s 
efforts to implement the requirements of the Federal Information 
Security Management Act of 2002, or FISMA. 

This act requires the department to develop, document and im- 
plement an agency-wide information security program that pro- 
vides security for the information and information systems that 
support the operations and assets at the department, including 
those provided or managed by another agency or contractor. 

This program is to include eight components, such as periodic as- 
sessment of risk and periodic testing and evaluation of controls. 
FISMA also requires DHS and the inspector general to report each 
year on efforts to implement this program. 

Mr. Chairman, my bottom-line message today is that continued 
efforts are needed to sustain progress made by the department in 
implementing the requirements of FISMA. In my testimony today, 
I will note areas where the department has made progress and 
those areas where challenges remain. 

In its Fiscal Year 2004 report, the department noted that it con- 
tinued to make significant progress in implementing key informa- 
tion security requirements. For example, it reported that the per- 
centage of its information systems that have been certified and ac- 
credited rose 24 percent to 68 percent. 

System certification and accreditation is a process by which 
agency officials authorize systems to operate. It is to include a se- 
curity assessment of the management, operational, and technical 
security controls in the system. 

As another example, the percentage of employees and contractors 
who receive security awareness training increased 71 percentage 
points in the Fiscal Year 2004 to 85 percent overall. 

However, the department and the IG also reported several areas 
where implementing effective information security practices re- 
mains a challenge. For example, the IG assessed the quality of the 
department’s certification and accreditation process as poor. 

The IG noted that the process was not consistently performed 
across the department and there were instances where certified 
and accredited systems lacked key security documents, such as up- 
to-date security plans, a current risk assessment, and contingency 
plans. As a result, DHS performance data may not accurately re- 
flect the status of its efforts to implement this requirement. 

As another example, the department reported the 79 percent of 
its systems did not have a tested contingency plan. These plans 
provide specific instructions for restoring critical systems, business 
processes, and information in the event of a disruption of service. 

The testing of contingency plans is essential to determining 
whether the plans will function as intended. Without testing, agen- 
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cies can have only minimal assurance that they will he able to re- 
cover their mission-critical systems and processes in the event of 
an interruption. 

In addition, DHS faces other challenges in implementing FISMA 
requirements. The department is required to have a complete and 
accurate inventory of its major systems. However, DHS reported 
that it did not have a complete and accurate inventory in either 
Fiscal Year 2003 or 2004. Without reliable information on inven- 
tories, DHS and the Congress cannot be fully assured of the de- 
partment’s progress in implementing FISMA. 

FISMA also requires DHS to develop a process for planning, im- 
plementing and documenting remedial actions to address any defi- 
ciencies in its information security policies, procedures and prac- 
tices. However, in its 2004 FISMA report, the IG noted that the 
seven of nine major organizational elements lacked the documented 
plan of action and milestones. As a result, the IG could not verify 
that all IT security weaknesses were included in the plan. 

Mr. Chairman, this concludes my opening statement. I look for- 
ward to your questions. 

[The statement of Mr. Wilshusen follows:] 

United States Government Accountability Office 

INFORMATION SECURITY 

Department of Homeland Security Faces Challenges in Fulfilling Statutory 
Requirements 

Prepared Statement of Gregory C. Wilshusen, Director, Information 

Security Issues 

Mr. Chairman and Members of the Subcommittee: I am pleased to be here today 
to discuss efforts by the Department of Homeland Security (DHS) to implement re- 
quirements of the Federal Information Security Management Act of 2002 (FISMA). ^ 
For many years, we have reported that poor information security is a widespread 
problem that has potentially devastating consequences.^ Accordingly, since 1997, we 
have identified information security as a governmentwide high-risk issue in reports 
to Congress — most recently in January 2005.® Concerned with accounts of attacks 
on commercial systems via the Internet and reports of significant weaknesses in fed- 
eral computer systems that made them vulnerable to attack. Congress passed 
FISMA, which permanently authorized and strengthened the federal information se- 
curity program, evaluation, and reporting requirements established for federal agen- 
cies. Under FISMA, agencies are to report annually to the Office of Management 
and Budget (0MB) who issues guidance for that reporting. 

In my testimony today, I will summarize the reported status of DHS’s implemen- 
tation of FISMA, including areas of progress and continuing challenges. 

In conducting this review, we analyzed and summarized DHS’s fiscal year 2003 
and 2004 reports to Congress on FISMA implementation. We also reviewed and 
summarized the fiscal year 2004 FISMA reports for 24 of the largest federal agen- 
cies and their Inspectors General (IGs). In addition, we reviewed standards and 
guidance issued by Office of Management and Budget (0MB) and the National Insti- 
tute of Standards and Technology (NIST) pursuant to their FISMA responsibilities. 
Finally, we reviewed OMB’s 2004 report to Congress on the implementation of 
FISMA governmentwide.'^ We did not validate the accuracy of the data reported by 


^Federal Information Security Management Act of 2002, Title III, E-Government Act of 2002, 
Pub. L. No. 107-347, December 17, 2002. 

2 GAO, Informaton Security: Opportunities for Improved OMB Oversight of Agency Practices, 
GAO/AIMD-96-110 (Washington, D.C.: Sept. 24, 1996). 

®GAO, High-Risk Series: An Update, GAO— 05— 207 (Washington, D.C.: January, 2005). 

Office of Management and Budget, Federal Information Security Management Act (FISMA) 
2004 Report to Congress (Washington, D.C.: March 1, 2005). 
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DHS, the other 23 CFO agencies, or 0MB, but did analyze the IGs’ fiscal year 2004 
FISMA reports to identify any issues related to the accuracy of agency-reported in- 
formation. We performed our work from October 2004 to March 2005 in accordance 
with generally accepted government auditing standards. In addition, we continue to 
perform on-going work on DHS’s management of information security. 

Results in Brief 

DHS has made progress in implementing key federal information security require- 
ments, yet it continues to face challenges in fulfilling the requirements mandated 
by FISMA. In its fiscal year 2004 report on FISMA implementation, DHS highlights 
increases in the majority of the key performance measures (developed by 0MB to 
track agency performance in implementing information security requirements), such 
as the percentage of agency systems reviewed and percentage of employee and con- 
tractor personnel who received security awareness training. For example, DHS re- 
ported a substantial increase in the percentage of personnel that received security 
awareness training, rising from 14 percent in fiscal year 2003 to 85 percent in fiscal 
year 2004. However, DHS continues to face significant challenges in meeting most 
statutory information security requirements. For example, DHS has yet to develop 
a complete and accurate inventory or an effective remediation process. 

Background 

Since the early 1990s, increasing computer interconnectivity — most notably 
growth in the use of the Internet — has revolutionized the way that our government, 
our nation, and much of the world communicate and conduct business. While the 
benefits have been enormous, without proper safeguards, this widespread 
interconnectivity also poses significant risks to the government’s computer systems 
and, more importantly, to the critical operations and infrastructures they support. 

We recently reported that, while federal agencies showed improvement in address- 
ing information security, they also continued to have significant control weaknesses 
in federal computer systems that put federal operations and assets at risk of inad- 
vertent or deliberate misuse, financial information at risk of unauthorized modifica- 
tion or destruction, sensitive information at risk of inappropriate disclosure, and 
critical operations at the risk of disruption. The significance of these weaknesses led 
us to conclude in the audit of the federal government’s fiscal year 2004 financial 
statements® that information security was a material weakness.® Our audits also 
identified instances of similar types of weaknesses in non-financial systems. Weak- 
nesses continued to be reported in each of the six major areas of general controls — 
the policies, procedures, and technical controls that apply to all or a large segment 
of an entity’s information systems and help ensure their proper operation. 

To fully understand the significance of the weaknesses we identified, it is nec- 
essary to link them to the risks they present to federal operations and assets. Vir- 
tually all federal operations are supported by automated systems and electronic 
data, and agencies would find it difficult, if not impossible, to carry out their mis- 
sions and account for their resources without these information assets. Hence, the 
degree of risk caused by security weaknesses is high. The weaknesses identified 
place a broad array of federal operations and assets at risk. For example: 

• resources, such as federal payments and collections, could be lost or stolen; 

• computer resources could be used for unauthorized purposes or to launch at- 
tacks on others; 

• sensitive information, such as taxpayer data, social security records, medical 
records, and proprietary business information could be inappropriately dis- 
closed, browsed, or copied for purposes of industrial espionage or other types of 
crime; 

• critical operations, such as those supporting national defense and emergency 
services, could be disrupted; 

• data could be modified or destroyed for purposes of fraud, identity theft, or 
disruption; and 

• agency missions could be undermined by embarrassing incidents that result 
in diminished confidence in their ability to conduct operations and fulfill their 
fiduciary responsibilities. 


®U.S. Department of the Treasury, 2004 Financial Report of the United States Government 
(Washington, D.C.; 2005). 

® A material weakness is a condition that precludes the entity’s internal control from providing 
reasonable assurance that misstatements, losses, or noncompliance material in relation to the 
financial statements or to stewardship information would be prevented or detected on a timely 
basis. 
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• Congress and the administration have established specific information secu- 
rity requirements in both law and policy to help protect the information and in- 
formation systems that support these critical operations and assets. 

FISMA Authorized and Strengthened Information Seeurity Requirements 

Enacted into law on December 17, 2002, as Title III of the E-Government Act of 
2002, FISMA authorized and strengthened information security program, evalua- 
tion, and reporting requirements. FISMA assigns specific responsibilities to agency 
heads, chief information officers, and IGs. It also assigns responsibilities to 0MB, 
which include developing and overseeing the implementation of policies, principles, 
standards, and guidelines on information security and reviewing at least annually, 
and approving or disapproving, agency information security programs. 

Overall, FISMA requires each agency to develop, document, and implement an 
agencywide information security program. This program should provide information 
security for the information and information systems that support the operations 
and assets of the agency, including those provided or managed by another agency, 
contractor, or other source. Specifically, this program is to include: 

• periodic assessments of the risk and magnitude of harm that could result 
from the unauthorized access, use, disclosure, disruption, modification, or de- 
struction of information or information systems; 

• risk-based policies and procedures that cost-effectively reduce information se- 
curity risks to an acceptable level and ensure that information security is ad- 
dressed throughout the life cycle of each information system; 

• subordinate plans for providing adequate information security for networks, 
facilities, and systems or groups of information systems; 

• security awareness training for agency personnel, including contractors and 
other users of information systems that support the operations and assets of the 
agency; 

• periodic testing and evaluation of the effectiveness of information security 
policies, procedures, and practices, performed with a frequency depending on 
risk, but no less than annually, and that includes testing of management, oper- 
ational, and technical controls for every system identified in the agency’s re- 
quired inventory of major information systems; 

• a process for planning, implementing, evaluating, and documenting remedial 
action to address any deficiencies in the information security policies, proce- 
dures, and practices of the agency; 

• procedures for detecting, reporting, and responding to security incidents; and 

• plans and procedures to ensure continuity of operations for information sys- 
tems that support the operations and assets of the agency. 

FISMA also established a requirement that each agency develop, maintain, and 
annually update an inventory of major information systems operated by the agency 
or that are under its control. This inventory is to include an identification of the 
interfaces between each system and all other systems or networks, including those 
not operated by or under the control of the agency. 

Each agency is also required to have an annual independent evaluation of its in- 
formation security program and practices, including control testing and compliance 
assessment. Evaluations of non-national security systems are to be performed by the 
agency IG or by an independent external auditor, while evaluations related to na- 
tional security systems are to be performed only by an entity designated by the 
agency head. 

The agencies are to report annually to 0MB, selected congressional committees, 
and the Comptroller General on the adequacy of information security policies, proce- 
dures, practices, and compliance with FISMA requirements. In addition, agency 
heads are required to make annual reports of the results of their independent eval- 
uations to 0MB. 0MB is also required to submit a report to Congress no later than 
March 1 of each year on agency compliance, including summary of the findings of 
agencies’ independent evaluations. 

Other major provisions require NIST to develop, for systems other than national 
security systems: (1) standards to be used by all agencies to categorize all their in- 
formation and information systems based on the objectives of providing appropriate 
levels of information security according to a range of risk levels; (2)guidelines recom- 
mending the types of information and information systems to be included in each 
category; and (3) minimum information security requirements for information and 
information systems in each category. NIST must also develop a definition and 
guidelines concerning detection and handling of information security incidents and 
guidelines, developed in conjunction with the Department of Defense (DOD) and the 
National Security Agency, for identifying an information system as a national secu- 
rity system. 
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OMB Reporting Instructions and Guidance Emphasize Performance Meas- 
ures 

Consistent with FISMA requirements, OMB issues guidance agencies on their an- 
nual reporting requirements. On August 23, 2004, OMB issued its fiscal year 2004 
reporting instructions. The reporting instructions, similar to the 2003 instructions, 
emphasize strong focus on performance measures and formatted these instructions 
to emphasize a quantitative response. OMB has developed performance measures in 
the following areas, including: 

• certification and accreditation,'^ 

• annual review of agency systems, 

• annual review of contractor operations or facilities, 

• annual security awareness training for employees and contractors, 

• annual specialized training for employees with significant security respon- 
sibilities, and 

• testing of contingency plans. 

Further, OMB provided instructions for continued agency reporting on the status 
of remediation efforts through plans of action and milestones. Required for all pro- 
grams and systems where an IT security weakness has been found, these plans list 
the weaknesses and show estimated resource needs or other challenges to resolving 
them, key milestones and completion dates, and the status of corrective actions. The 
plans are to be submitted twice a year. In addition, agencies are to submit quarterly 
updates that indicate the number of weaknesses for which corrective action was 
completed on time (including testing), is ongoing and on track to be completed as 
originally scheduled, or has been delayed, as well as the number of new weaknesses 
discovered since the last update. 

The IGs’ reports were to be based on the results of their independent evaluations, 
including work performed throughout the reporting period (such as financial state- 
ments or other audits). While OMB asked the IGs to respond to the same questions 
as the agencies, it also asked them to assess whether their agency had developed, 
implemented, and was managing an agencywide plan of actions and milestones. 
Further, OMB asked the IGs to assess the certification and accreditation process at 
their agencies. OMB did not request that the IGs validate agency responses to the 
performance measures. Instead, as part of their independent evaluations of a subset 
of agency systems, IGs were asked to assess the reliability of the data for those sys- 
tems that they evaluated. 

Recently-created Department of Homeland Security is Large and Complex 

In the aftermath of September 11, invigorating the nation’s homeland security 
missions became one of the federal government’s most significant challenges. The 
Homeland Security Act of 2002 created DHS, combining 22 agencies into one depart- 
ment. DHS, with an estimated 170,000 employees, is the third largest government 
agency. Not since the creation of DOD more than 50 years ago had the government 
sought an integration and transformation of this magnitude. 

GAO designated implementing and transforming DHS as high risk in 2003 be- 
cause DHS had to transform 22 agencies — several with major management chal- 
lenges — into one department, and failure to effectively address its management 
challenges and program risks could have serious consequences for our national secu- 
rity.® DHS combined 22 agencies specializing in various disciplines: law enforce- 
ment, border security, biological research, disaster mitigation, and computer secu- 
rity, for instance. Further, DHS oversees a number of non-homeland-security activi- 
ties, such as the Coast Guard’s marine safety responsibilities and the Federal Emer- 
gency Management Agency’s natural disaster response functions. 

DHS has lead responsibility for preventing terrorist attacks in the United States, 
reducing the vulnerability of the United States to terrorist attacks, and minimizing 
the damage and assisting in the recovery from attacks that do occur. DHS has five 
under secretaries with responsibility over directorates for management, science and 
technology, information analysis and infrastructure protection, border and transpor- 
tation security, and emergency preparedness and response. In addition, the depart- 
ment has four other organizations that report directly to the Secretary. 

DHS uses a variety of major applications and general support systems in support 
of operational and administrative requirements. In its 2004 FISMA report, DHS 
stated that it had 395 systems and 61 contractor operations. These systems often 


'^Certification is a comprehensive process of assessing the level of security risk, identifying 
security controls needed to reduce risk and maintain it at an acceptable level, documenting secu- 
rity controls in a security plan, and testing controls to ensure they operate as intended. Accredi- 
tation is a written decision by an agency management official authorizing operation of a par- 
ticular information system or group of systems. 

®GAO, High-Risk Series: An Update, GAO— 05— 207 (Washington, D.C.: January, 2005). 
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served specific organizations that are now merged with others, resulting in inter- 
operability issues, data management concerns, and incompatible environments or 
duplicative processes. 

Department of Homeland Security’s FISMA Reports Highlight Increases in 
Performance Measures, hut Challenges Remain 

In its FISMA-mandated report for fiscal year 2004, DHS generally reported in- 
creases in compliance with information security requirements as compared with 
2003. However, DHS continues to face significant challenges. The following key per- 
formance measures showed increased performance and/or continuing challenges: 

• percentage of systems certified and accredited; 

• percentage of agency systems reviewed annually; 

• percentage of contractor operations reviewed annually; 

• percentage of employees and contractors receiving annual security awareness 

training; 

• percentage of employees with significant security responsibilities receiving 

specialized security training annually; and 

• percentage of systems with contingency plans tested. 

Figure 1 illustrates the reported overall status of DHS in meeting these perform- 
ance measures and the changes between fiscal years 2003 and 2004. 
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Figure 1 : OHS Reported Data for Key Performance Measures 
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DMS has yet to develop a complete and accurate inventory, or an 
effective plan of action and milestones.® Finally, figure 2 illustrates 
how DHS compares to the govemmentwide results for the 
performance measures when compared to the aggregated data of all 
24 CFO agencies. 


“OMB’s implementing guidance refers lo the process of planning, implementing, evaluating, 
and documenting remedial actions to address any deficiencies in information security as a 
security plan of action and milestones. 
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Figure 2: Comparison of DHS Data to Governmentwide Performance 
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CertiUcation and Accreditation 

Included in OMB’s policy for federal information security is a 
requirement that agency management officials formally authorize 
their information systems to process information and, thereby, 
accept the risk associated with their operation. This management 
authorization (accreditation) is to be supported by a formal 
technical evaluation (certification) of the management, operational, 
and technical controls established in an information system’s 
security plan. In 2003, agencies were required to report separately 
on risk assessments and security plans. In 2004, 0MB eliminated 
this separate reporting in its guidance and directed agencies to 
complete risk assessments and security plans for the certification 
and accreditation process to be accomplished. As a result, the 
performance measure for certification and accreditation now also 
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reflects the level of agency compliance for risk assessments and security plans. For 
FISMA reporting, 0MB requires agencies to report the number of systems author- 
ized for processing after completing certification and accreditation. 

DHS reported a significant increase for this performance measure in its fiscal 
year 2004 report. The Department reported that approximately 68 percent of its sys- 
tems had been certified and accredited, an increase of 26 percent over fiscal year 
2003. Governmentwide, 77 percent of all systems were certified and accredited com- 
pared to the 68 percent at DHS. If agencies do not certify and accredit their sys- 
tems, they cannot be assured that risks have been identified and mitigated to an 
acceptable level. 

Moreover, the DHS IG reported in its 2004 FISMA report that the certification 
and accreditation process at the Department was poor. The report noted that the 
certification and accreditation process was not performed consistently across the De- 
partment. In addition, there were instances where certified and accredited systems 
lacked key security documentation such as up-to-date and approved security plans, 
a current risk assessment, and contingency plans. As a result, the agency reported 
performance data may not accurately reflect the status of DHS’s efforts to imple- 
ment this requirement. 

Annual Review of Agency Systems 

FISMA requires that agency information security programs include periodic test- 
ing and evaluation of the effectiveness of information security policies, procedures, 
and practices to be performed with a frequency that depends on risk, but no less 
than annually. This is to include testing of management, operational, and technical 
controls for every information system identified in the FISMA-required inventory of 
major systems. Periodically evaluating the effectiveness of security policies and con- 
trols and acting to address any identified weaknesses are fundamental activities 
that allow an organization to manage its information security risks cost effectively, 
rather than reacting to individual problems ad hoc only after a violation has been 
detected or an audit finding has been reported. Further, management control testing 
and evaluation as part of program reviews is an additional source of information 
that can be considered along with control testing and evaluation in IG and GAO au- 
dits to help provide a more complete picture of the agencies’ security postures. As 
a performance measure for this requirement, 0MB requires that agencies report the 
number of systems that they have reviewed during the year. 

DHS reported performing an annual review on an increased percentage of its sys- 
tems. It reported in 2004 that it had reviewed 54 percent of its systems, as com- 
pared to 44 percent in 2003. In 2004, 23 of the 24 CFO agencies reported that they 
had reviewed 90 percent or more of their systems. Annual security testing helps to 
provide assurance to the agencies that security controls are in place and functioning 
correctly. Without such testing, agencies cannot be assured that their information 
and systems are protected. 

Annual Review of Contractor Operations 

Under FISMA, agency heads are responsible for providing information security 
protections for information collected or maintained by or on behalf of the agency and 
information systems used or operated by an agency or by a contractor. Thus, agency 
information security programs apply to all organizations that possess or use federal 
information or that operate, use, or have access to federal information systems on 
behalf of a federal agency. Other such organizations may include contractors, grant- 
ees, state and local governments, and industry partners. This underscores long- 
standing 0MB policy concerning sharing government information and inter- 
connecting systems: federal security requirements continue to apply and the agency 
is responsible for ensuring appropriate security controls. 

At DHS, the key performance measure of annually reviewing contractor oper- 
ations showed a minor decrease from 73 percent in 2003 to 67 percent in 2004. 
Twenty of the Department’s contractor operations were not reviewed. The govern- 
mentwide performance measure was reported as 83 percent of all contractor oper- 
ations reviewed. If agencies do not review contractor operations, they cannot be as- 
sured that federal data is being handled in accordance with agency requirements. 

Security Awareness Training 

FISMA requires agencies to provide security awareness training to inform per- 
sonnel, including contractors and other users of information systems that support 
the operations and assets of the agency, of information security risks associated 
with their activities, and the agency’s responsibilities in complying with policies and 
procedures designed to reduce these risks. Our studies of best practices at leading 
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organizations have shown that such organizations took steps to ensure that per- 
sonnel involved in various aspects of their information security programs had the 
skills and knowledge they needed. Agencies reported that they provided security 
awareness training to the majority of their employees and contractors. As perform- 
ance measures for FISMA training requirements, 0MB has the agencies report the 
number of employees and contractors who received IT security training during fiscal 
year 2004. 

DHS reported a substantial increase in the percentage of employees and contrac- 
tors who received security awareness training in fiscal year 2004. The Department 
reported that it had trained 85 percent of its staff compared to 14 percent in 2003. 
As a result, reported performance is comparable to the majority of agencies in this 
performance measure, as seventeen agencies reported that they had trained more 
than 90 percent of their employees and contractors in basic security awareness. 

Specialized Security Training 

Under FISMA, agencies are required to provide training in information security 
to personnel with significant security responsibilities. As previously noted, our study 
of best practices at leading organizations has shown that such organizations recog- 
nized that staff expertise needed to be updated frequently to keep security employ- 
ees updated on changes in threats, vulnerabilities, software, security techniques, 
and security monitoring tools. 0MB directs agencies to report on the percentage of 
their employees with significant security responsibilities who received specialized 
training. 

DHS presented substantial improvement in this performance measure, reporting 
that it had provided specialized training to more than 90 percent of its employees 
who have significant security responsibilities. Not only was this a significant im- 
provement over the 66 percent reported in 2003, it also places DHS among the top 
ten agencies governmentwide for this performance measure. Given the rapidly 
changing threats in information security, agencies need to keep their IT security 
employees up-to-date on changes in technology. Otherwise, agencies may face in- 
creased risk of security breaches. 

Testing of Contingency Plans 

Contingency plans provide specific instructions for restoring critical systems, in- 
cluding such elements as arrangements for alternative processing facilities in case 
the usual facilities are significantly damaged or cannot be accessed due to unex- 
pected events such as temporary power failure, accidental loss of files, or a major 
disaster. It is important that these plans be clearly documented, communicated to 
potentially affected staff, and updated to reflect current operations. 

The testing of contingency plans is essential to determining whether plans will 
function as intended in an emergency situation. The frequency of plan testing will 
vary depending on the criticality of the entity’s operations. The most useful tests 
involve simulating a disaster situation to test overall service continuity. Such a test 
would include testing whether the alternative data processing site will function as 
intended and whether critical computer data and programs recovered from off-site 
storage are accessible and current. In executing the plan, managers will be able to 
identify weaknesses and make changes accordingly. Moreover, tests will assess how 
well employees have been trained to carry out their roles and responsibilities in a 
disaster situation. To show the status of implementing this requirement, 0MB re- 
quires that agencies report the number of systems that have a contingency plan and 
the number that have contingency plans that have been tested. 

DHS reported a modest increase in the percentage of contingency plans tested. 
The department stated that it had tested contingency plans for 21 percent of its sys- 
tems, an 8 percentage point increase over 2003. Moreover, analysis of the numbers 
reveals that DHS tested 82 plans, which was almost double what it tested in 2003. 
However, the majority of its systems do not have tested contingency plans. Overall, 
federal agencies reported that 57 percent of systems had contingency plans that had 
been tested. Without testing, agencies can have limited assurance that they will be 
able to recover mission-critical applications, business processes, and information in 
the event of an unexpected interruption. 

Other Challenges in Implementing Statutory Requirements 

In addition to the performance measures, there are other requirements that agen- 
cies must meet under FISMA. Agencies are required to have a complete and accu- 
rate inventory of their major systems and any interdependencies. They are also re- 


i*’ GAO, Executive Guide: Information Security Management: Learning From Leading Organi- 
zations, GAO/AIMD-98-68 (May, 1998). 
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quired to have a remediation process for correcting identified information security 
weaknesses. 

The total number of agency systems is a key element in OMB’s performance 
measures, in that agency progress is indicated by the percentage of total systems 
that meet specific information security requirements. Thus, inaccurate or incomplete 
data on the total number of agency systems affects the percentage of systems shown 
as meeting the requirements. Further, a complete inventory of major information 
systems is a key element of managing the agency’s IT resources, including the secu- 
rity of those resources. 

DHS reported that it did not have a complete and accurate inventory in either 
2003 or 2004. Without reliable information on DHS’s inventories, the Department, 
the administration, and Congress cannot be fully assured of DHS’s progress in im- 
plementing FISMA. 

FISMA requires each agency to develop a process for planning, implementing, 
evaluating, and documenting remedial actions to address any deficiencies in the in- 
formation security policies, procedures and practices of the agency. OMB’s imple- 
menting guidance refers to this process as a security plan of action and milestones. 
The chief information officer (CIO) is to manage the process for the agencies and 
program officials are required to regularly update the CIO on their progress in im- 
plementing remedial actions. This process allows both the CIO and the IG to mon- 
itor agency-wide progress, identify problems, and provide accurate reporting. In its 
annual reporting guidance, 0MB asks the agency IGs to report on the status of the 
plan of action and milestones at their agencies. IGs were asked to evaluate the proc- 
ess based on the following criteria: 

• known IT security weaknesses from all components are incorporated; 

• program officials develop, implement and manage plans for the systems they 
own and operate that have an IT security weakness; 

• program officials report to the CIO on a regular basis (at least quarterly) on 
their remediation progress; 

• CIO develops, implements and manages plans for the systems they own and 
operate that have an IT security weakness; 

• CIO centrally tracks, maintains, and reviews all plan activities on at least a 
quarterly basis; 

• The plan is the authoritative agency tool for agency and IG management to 
identify and monitor agency actions for corrected information security weak- 
nesses; 

• System-level plans are tied directly to the system budget request through the 
IT business case as required in 0MB budget guidance; 

• IG has access to the plans as requested; 

• IG findings are incorporated into the process; and 

• the process prioritizes IT security weaknesses to help significant weaknesses 
are addressed in a timely manner and receive appropriate resources. 

In its 2004 FISMA report, the DHS IG described problems with the plan of action 
and milestones process at DHS. According to the IG, seven of the nine major depart- 
ment components reviewed lacked a documented and implemented plan of action 
and milestones. Further, the IG stated that the CIO did not receive reports of reme- 
diation progress and did not ensure that components updated the status of their 
progress. Linkage of the plans to budget requests was reported as minimal at the 
component level. Seven of the nine components reviewed did not have a formal proc- 
ess to prioritize their IT security weaknesses. Finally, the IG reported that its find- 
ings were not incorporated into the plan of action and milestones at DHS. Without 
an effective, implemented remediation process, DHS cannot be assured that identi- 
fied security weaknesses are tracked and corrected. 

In summary, DHS generally showed increases in the 0MB performance measures 
for FISMA implementation in fiscal year 2004. However, it still faces challenges in 
implementing the statutory requirements. It faces significant challenges in both in- 
ventory development and the implementation of its remediation process. Accord- 
ingly, if information security is to continue to improve, agency management must 
remain committed to these efforts. The annual reports and performance measures 
will continue to be key tools for holding DHS accountable and providing a barometer 
of the overall status of its information security. 

Mr. Chairman, this concludes my statement. I would be happy to answer any 
questions from you or members of the Committee. 

Should you have any questions about this testimony, please contact me at (202) 
512-3317 or Suzanne Lightman, Assistant Director, at (202) 512-8146 or by e-mail 
at wilshuseng@gao.gov and hghtmans@gao.gov, respectively. 

Other individuals making key contributions to this testimony include Larry 
Crosland, Season Dietrich, Nancy Glover, Carol Langelier, and Stephanie Lee. 
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Mr. Rogers. Thank you very much. 

I just have a couple of questions. I would like to first start with 
you and then go with Mr. Cooper. 

And we would advise you, we may be called for votes at any 
minute. And we will try to find a good break time to do that. 

In listening to your testimony, you talked about how the grade 
that we referenced in our opening remarks may not be an accurate 
measure. What do you see as the greatest deficiency or problem 
with DHS and it’s information security right now, based on your 
review? 

Mr. WiLSHUSEN. Well, based on our review of the FISMA re- 
port — . 

Mr. Rogers. Right. 

Mr. WiLSHUSEN. — one of the key elements is, of course, having 
a complete and accurate inventory, because that is your bottom 
base-line in terms of being able to track any progress in the per- 
formance of securing those systems. If you do not know what the 
total population of your systems are, it is very difficult to assure 
that your systems are going to be adequately secure. 

Mr. Rogers. So the inadequate inventory, in your view, is the 
most glaring problem? 

Mr. WiLSHUSEN. And the incomplete inventory. That is a key 
problem. Another key problem, which is that the IG has raised in 
his testimony — actually, it was the assistant inspector general for 
information technology at DHS — last week is just the organiza- 
tional alignment of the CIO and CISO at the departmental level, 
along with their counterparts at the organizational elements. 

Mr. Rogers. Mr. Cooper, what do you see as the greatest short- 
coming in your department and what poses the greatest risk to us 
as a nation? 

Mr. Cooper. I would first confer with what Greg said. And we 
do recognize that an incomplete inventory is a challenge. The in- 
ventory represents — and what I would like to try to do in my an- 
swer is tie it into the context of the FISMA scorecard, and help 
very quickly with a little bit of how the scoring actually impacts 
the grade and may not fully represent the progress we have made. 

The inventory represents basically a negative 10 points. We re- 
ceived no score at all, and still our inventory is certified as greater 
than 95 percent complete. We currently stand somewhere between 
85 and 90 percent complete. That inventory is identified over 3,600 
significant applications. 

If we compare the quantity with the Department of Transpor- 
tation, just as an example that was used in a more recent hearing, 
the Department of Transportation has 480 significant applications. 
The complexity and the quantity were temporarily against us. 

We are on track to complete our inventory some time the early 
part of Fiscal Year 2006, at which point we will then have a full 
inventory. Our accreditation of that inventory will, in fact, move 
from about the current 70 percent probably to about 90 or 95 per- 
cent in the same timeframe, so that we will get both the actual 
work done, and the scoring will be reflected in the FISMA score- 
card. That is area number one. 

Area number two is in the certification and accreditation of all 
the applications themselves, and the systems, and the networks. 
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and all the various moving parts and pieces. We currently stand at 
about 70 percent. And 70 percent is a failing grade. 

Last time I was in school, I could not talk teachers into giving 
me anything greater than about a D-if I ended up with a 70. That 
is still true; we recognize it. And we absolutely encourage the com- 
mittee to hold us accountable to those criteria. We will achieve the 
desired accreditation and certification. However, it is again not 
going to occur until Fiscal Year 2006. 

The third area is what is labeled in the scorecard “Configuration 
Management.” Now, what that really means is, that for all of the 
operating systems and the technical platforms that we operate 
across the department, FISMA requires us to have both policy and 
guidelines for securing those types of environments and to imple- 
ment those published guidelines. 

Because of our infrastructure transformation initiative, which is 
a major initiative in the department, I, as the CIO, made a deci- 
sion — I am the one that you should hold accountable — that we 
would not actually move to execute or implement some of the con- 
figuration management guidelines for those platforms or operating 
systems that we are going to retire through the conduct of our in- 
frastructure transformation program. 

That configuration and implementation of the configuration man- 
agement, policies and guidelines represents 20 points in the scor- 
ing. If you take the inventory minus 10, the configuration manage- 
ment minus 20, we are at 70 before we have done anything else. 

Unfortunately, I am here to tell you that in Fiscal Year 2005, we 
are most likely going to receive an F again. But in 2006, as we 
complete the program, action and milestones that has now moved 
from 300 line items in 2004 — that was the FOAM, that Greg re- 
ferred to. It now contains over 3,000 line items, action items, that 
we are actually going to produce and conduct. 

But our grade in 2005, most likely, will be an F. In 2006, it will 
probably move to a B. And it will be that quick. It is going to show 
up as an F; it will be a B in 2006. 

Mr. Rogers. My time has expired. I thank the gentleman. 

And I now recognize the Ranking Member, my colleague from 
Florida, Mr. Meek, for any questions he may have. 

Mr. Meek. Thank you, Mr. Chairman. 

I guess a question for either one of you. 

Mr. Cooper, once again, I know that you are in the sunset of your 
time at the Department of Homeland Security. But I wanted to say 
how confusing a lot of this is for many of us. A lot of us are well- 
intended on both sides of the aisle. We understand this issue, be- 
cause this is where we really come together, as it relates to pro- 
tecting the homeland. 

And we ask the private sector disclosure, you know, when things 
happen, reporting. I know that is a part of the GAO report about 
reporting. And when we continue to receive, you know, an F or a 
D, who are we to criticize the private sector? 

The difference between us and the private sector is the fact the 
nine times out of ten, it is dealing with financial documents, per- 
sonal information of Americans. But when it comes down to us, it 
is dealing with, you know, the issue of protecting the homeland, 
and in some instances, some of our friends and neighbors. 
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I know that you are leaving. I know philosophy change. So I 
want you to talk a little bit about how we are going to stay on 
track and how we are going to improve ourselves, because to the 
everyday American, I mean, they do not understand half of some 
of the things that may go on up here. And I will tell you, some of 
us in the process do not understand half of what is going on up 
here. And I am serious about that, especially when it comes down 
to IT issues, that are very important issues. 

I know that you talked about integrating a number of systems 
and also pulling a department together. We are all neophytes as it 
relates to homeland security, even on this committee, because 
many of us on this committee, we served in the last select com- 
mittee and now we have a permanent committee. 

But we have departments like Department of Agriculture, which, 
you know, they do not have the same situation the Department of 
Homeland Security has had, as it relates to being created in a new 
agency. Department of Health and Human Services, these are dou- 
ble-F agencies. Department of Energy, I mean, there has not been 
overhaul of the department to where that they had to find new ac- 
countability, nor Housing and Urban Development. 

So I am trying to — and if maybe you could address a little bit 
about what we are talking — given the benefit of the doubt of a new 
department, and the fact that, you know, we can look forward to 
an F next year — not look forward to it gleefully, but you are warn- 
ing us. 

And it goes with what the Secretary shared with me yesterday 
when we were in full committee. And I asked him this question. 
He said it will be a while before we can get our cards in order, but 
we need to do it more sooner than later. 

Talk a little bit about how this thing is going to live beyond you 
personally. Who is going to be in place? What kind of attrition are 
we facing now, as it relates to the individuals that serve under you 
directly, so that, when we are here a year from now, unfortunately 
having the same subcommittee hearing? Because we are going to 
move a bill, from what I understand. There are some members — 
and I know we have a member of the subcommittee — here today. 

Just elaborate on what I have — . 

Mr. Cooper. First, sitting behind me is Robert West, who is our 
chief information security officer in the Department of Homeland 
Security. Bob is a career federal civil servant with more than 20 
years of federal experience in this specific space, in information in- 
surance and information security. Bob’s staying. He is not going 
anywhere. 

Most important, though, how are we moving this forward beyond 
the work that Bob has guided, that I have supported, that the de- 
partment has supported? The information security systems envi- 
ronment that Bob established has an information system security 
advisory board. 

There are information system security managers from every part 
of the organizational elements of the department. They are federal 
people. They maintain the continuity. 

The DHS CIO Council that I established contains the CIOs of all 
of the organizational elements. They are federal career people. 
They sustain the continuity. 
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We have put in place an automated tool called Trusted Agent 
FISMA, which now records — it is actually linked directly into our 
applications systems environment — and it records all of these 
progress, the accreditation, the work that is been done electroni- 
cally so that it becomes a management tool, so that the Secretary, 
the Deputy Secretary and all of the line managers of the depart- 
ment, not just the IT community, for the first time have visibility 
into their accreditation status, their configuring management sta- 
tus, their plan of action and milestones. This is all available elec- 
tronically. 

And there is a real-time green, yellow, red indicator, based upon 
not only the FISMA calibration but also the additional criteria that 
we have established in the department. At any point in time now — 
this is now operational. This is real. It is in place. I am not selling 
you something that we are going to do. It is done. 

This enables every key executive in the department to under- 
stand exactly where their area of responsibility is, with regard to 
information security and assurance, and they understand that it is 
a shared responsibility between the CIO community and the busi- 
ness community to continue to build upon the progress that we 
have made. 

That is one major — second is that, as we complete our inventory, 
okay, we actually are consolidating. So the environment is becom- 
ing less complex. As we consolidate, we have fewer things to ac- 
credit. We get better as we go along. 

Mr. Meek. Thank you, Mr. Cooper. I am out of time. We have 
other members here, and the bell is going to ring soon. But hope- 
fully we will have a second round. 

Thank you. 

Mr. Rogers. The gentleman’s time has expired. 

My colleague from Washington, Mr. Reichert, is recognized for 5 
minutes. 

Mr. Reichert. Well, I think it is on. 

Mr. Rogers. It is. 

Mr. Reichert. Thank you, Mr. Chairman. 

Welcome. My background is in law enforcement. And one of the 
major concerns, of course, when you talk about securing informa- 
tion is sharing information. How do you balance the two? 

Where in Seattle, in the King County northwest region — and 
maybe you have addressed this in your initial comments — we have 
been designated as one of five regions in the country as a test site 
for the LINX system. The FBI initially chose not to participate. 
Now they have come to the table and are willing to discuss. Their 
concern was protecting and securing the information, of course, 
that they gather and that they have in their files. 

We have also, in the northwest region, been selected as one of 
the four cities in the integration initiative for DHS, along with Cin- 
cinnati, Anaheim and Memphis. So there is this effort to integrate 
information and share information. And I see a conflict there in se- 
curing the information but also at the same time in working with 
local agencies and being able to share that information. 

How do you balance those two huge responsibilities? 

Mr. Cooper. What we have actually done is we have taken a 
risk-based prioritized approach. And out of this 3,600 applicants, as 
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I was saying, what we have actually done is, we have picked the 
ones that are most important to the mission of homeland security. 

For example, those that you described are part of our homeland 
security information network. That was one of the first applications 
that we ensured was accredited, certified and had its interim au- 
thorities operate. So anything that is moving information from 
within the department and within the federal environment out into 
the state and local environment, we have actually focused on those 
in the early stages. 

And all of those applications networks are accredited. They have 
all of the tools and cyhersecurity protection software that we have 
in place. We monitor those applications and the networks on a 24 
by 7 basis. The monitoring is linked into the federal search for the 
reporting of any incidence or anything that looks suspicious, even 
suspicious activity, which we can monitor and track. 

We believe that this enables the department to ensure that any 
information going to law enforcement, sensitive and unclassified, 
and our classified environment, which actually is also thoroughly 
certified, tested, proved. Our partnerships with the National Secu- 
rity Agency and the intelligence community are all absolutely 
where they need to be. 

Our business systems, on the other hand, we do not have full ac- 
credited. Just to give you a quick example and to give you a very, 
very — response. 

Mr. Reichert. Okay. Do you see the arrival of wireless as com- 
plicating your efforts in security, so that officers on the street have 
real-time information? 

Mr. Cooper. It is a challenge, but we have already begun to put 
wireless-based systems in place using, you know, personal visual 
assistants, like a BlackBerry, that type of thing, move protected, 
encrypted information out to Border Patrol agents or out to local 
law enforcement. 

We have operational projects in place that are fully protected, 
fully accredited. We will continue to do that, again, on this 
prioritized risk-based approach. 

But it does add additional challenges. One that we are struggling 
with, we actually are trying to figure out the best way to protect 
the home use of home computers connecting into, for example, e- 
mail of DHS employees. And as you know, many people have home 
wireless networks where your neighbor, if you have not properly 
encrypted it, can enter your own network without you realizing it. 

Mr. Reichert. Right. 

Mr. Cooper. So that is a challenge. 

Mr. Reichert. Well, I would just make one last comment, as far 
as wireless goes. I think, from a local perspective, and working 
with federal agencies, and making sure that we share information 
real-time, the wireless technology is critical in that effort. And I 
certainly recognize the difficult in providing security when you 
move on to that new technology. 

Thank you very much. I yield my time. 

Mr. Rogers. The gentleman yields back. 

The gentlelady from Texas, Ms. Jackson-Lee, is recognized for 
any questions she may have for 5 minutes. 

Ms. Jackson-Lee. I thank the Chairman. 
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This might be one of the more important subcommittees of the 
Department of Homeland Security and, of course, responsibilities of 
the Congress. I said something in the hearing yesterday with the 
Secretary. 

And before I make the same comment very quickly, I just want 
to acknowledge your work, Mr. Cooper, and of course, Mr. 
Wilshusen, your work, as well, and all of the employees of the De- 
partment of Homeland Security pushed together in a very trying 
time in America’s history and rising to the occasion. 

But allow me to ask you to reflect, because I made this state- 
ment, that maybe Congress may have made a mistake in its rush 
to do the right thing. And I say that, and I would appreciate your 
comment, on the largeness of a 180,000 person-department, which 
might warrant this committee or the whole committee reviewing if 
all the pieces that are there now really need to be. 

While you reflect on that, would you take note of the fact that 
the entity that EMS professionals respond to is in DOT. Fire and 
police are in DHS. And EMS, which are the very principals who 
deal with a nuclear attack, a chemical attack, with triages on the 
street, they are in DOT. 

And the last point, simply, legislation that we are supporting 
that goes really to this issue on this whole question of data security 
or security would put in place an Assistant Secretary of 
Cybersecurity. Would that be a helpful structure because of 
ChoicePoint and LexisNexis? 

But you would, Mr. Cooper, share your thoughts on the re- 
visioning, if you will, of DHS, which may add to better security? 

Mr. Cooper. Okay. Although I am a certified emergency medical 
technician and have ridden ambulances in my earlier career, I have 
to admit that I am not sure that I would be the best person to real- 
ly comment on the organization of the federal enterprise. I kind of 
have to defer to Congress, have to defer to those who have had 
many more years of experience than I in the federal environment. 

What I would offer is that I absolutely would encourage this com- 
mittee, the full committee, and Congress to hold the department 
accountable for all of the aspects of FISMA and for those chal- 
lenges around cybersecurity for the nation. That includes the role 
that the chief information officer plays, the chief information secu- 
rity officer, and our national cybersecurity division, which really is 
the component that looks externally for the department. 

I, as the CIO, have the internal responsibility for complying with 
FISMA and ensuring that all of the information technology assets 
of the department are secure, including the data aspects of that. 

I would also suggest that we are absolutely on the right track in 
the information-sharing initiative, which is federal, enterprise-wide 
initiative, as you know, under the Executive Order 13336, although 
do not hold me fully to the proper number. I will relay that back 
to the committee, if necessary. 

Under the guidance of the Office of Management and Budget, 
significant work architecturally is being done that I think will en- 
sure that, regardless of the organizational structure, the right in- 
formation, regardless of its source in whatever federal department 
exists, can, in fact, be exchanged with other parts of the federal en- 
terprise and appropriate authorities in state and local, tribal gov- 
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ernments, and the private sector that has responsibility for critical 
infrastructure. 

Ms. Jackson-Lee. Can I ask that Mr. Wilshusen, if he would 
comment on the largeness and the possible need of reviewing all 
of the elements of the DHS, which deals with security — what might 
help it contain its security issues? 

Mr. Wilshusen. I would also just like to comment on what Mr. 
Cooper just mentioned, too, and kind of expand on that, in terms 
of what the Congress’ responsibility to help provide oversight in 
holding the agency officials accountable. 

FISMA also gives specific responsibilities to the agency head. It 
is not just the CIO’s responsibility or the chief information security 
officer’s responsibility. Overall responsibility rests with the agency 
head. So certainly, keeping the agency head and other senior pro- 
gram officials, who also have specific responsibilities under FISMA, 
also need to be held accountable and made aware of their responsi- 
bility. 

Ms. Jackson-Lee. Thank you. 

Mr. Rogers. The gentlelady yields back. 

The chair now recognizes the Chairman of the full committee, 
Mr. Cox from California. 

Mr. Cox. Thank you very much. 

And I want to thank our witnesses for being here. I know that 
you both have been working on this issue for some time, Mr. Coo- 
per in particular, specifically in the Department of Homeland Secu- 
rity. 

I want to make sure I understand the evaluation that we have 
been given. Agency inspectors general were asked several questions 
to evaluate and verify whether various departments in the govern- 
ment, and specifically the Department of Homeland Security, main- 
tain and update an effective plan of action. They were asked 
whether the Department of Homeland Security maintains and up- 
dates milestones in order to remediate security weaknesses. 

So my understanding is that the responses to those questions go 
not to whether or not we have secure systems in place at DHS, but 
rather whether the process — an easier test — whether the process 
that is in place to get us there is a good one. 

And that even in response to that easier question, if it is the 
process that is designed to get us secure a good one, the answer 
came back, essentially, no. But I want to make sure that my under- 
standing is correct. 

There is a column — and, Mr. Wilshusen, I am going to direct this 
to you, because I think that this is your line of inquiry. All of the 
agencies, from AID to Veterans Affairs, are listed. DHS is one of 
those agencies. And the questions about an effective plan of action 
and milestones were put. There was a column that says, “Verified: 
Yes, No.” And the answer for the Department of Homeland Secu- 
rity is “no.” 

Does that mean that you just did not verify it or that you could 
not verify it because there was a problem? 

Mr. Wilshusen. FISMA requires each agency and their inspector 
general to report on the progress of the agency in implementing the 
provisions of FISMA. 0MB and one of its responsibilities is giving 
reporting instructions to the agencies and IGs and how — in both 
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the form and content of how to report those — to meet that report- 
ing requirement. 

0MB requires two types of information. One, they do require per- 
formance measures in reporting how agencies have implemented 
different information security requirements, for example, the per- 
centage of systems that have been certified and accredited. 

In addition, 0MB has asked the inspector generals, or inspectors 
general, to review the quality of some of the processes at those 
agencies, such as the process for certifying and accrediting their 
systems as well as the department process for developing a plan of 
action and milestones. 

In specific response to your question, “Is that verified?” is that 
the IG for that particular issue has said that they do not have a 
strong or a good process for that. 

Mr. Cox. All right, so this is not simply a matter of our not being 
able to verify the answer to the question. Rather, it goes to the lack 
of a sound process? 

Mr. WiLSHUSEN. If that is from the FISMA 2004 report, I believe 
that is correct. 

Mr. Cox. That is exactly right. That is what I am quoting. 

Mr. WiLSHUSEN. Okay. 

Mr. Cox. And that is what it means. 

Mr. Cooper, help me with why we should not be concerned about 
this? 

Mr. Cooper. Last year, you should have absolutely been con- 
cerned. So were we. I certainly am not proud of our failing grade. 
And we take it very seriously. 

And what that reflects is exactly correct. Our inspector general, 
working with us, and kind of looking over our shoulder at the work 
we have done, labeled our plan of action and milestones process to 
get us to all of the things that we want to get done as poor. And 
we agreed. 

Here is the good side of the story. Last year, we had about 300 
line items, meaning specific tasks that we needed to take. This 
year, in the ensuing time, our report this year will not only show 
that we have a very good, robust process, but we now have over 
3,000 action items identified. That is the difference between a poor 
process not well-executed and a good process properly executed. 

I am very confident that, although we still will most likely re- 
ceive an overall failing grade, which again we are not going to be 
proud of — 

Mr. Cox. But let me make sure I understand. If the grade is 
given not on whether your computers systems are secure but rath- 
er on whether you are following a process to get them there, why 
would not you get a passing grade? 

Mr. Cooper. It is both. It is both. In other words, the process 
represents actually only about 15 points of the 100 that comprise 
the total score. But we only received two points, because of our 
poor process and nothing in the plan. 

The accreditation and certification represents about 20 percent of 
the total grade. We received zero points, okay? This year, we will 
receive significantly greater points in each area. 

But the total score that also includes things like annual testing, 
configuration management, incident protection, and response and 
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reporting, when you total up all those different categories — and 
there are seven or eight major categories — we still will not aggre- 
gate enough points — A, B or higher, we believe. This is what I am 
projecting, and this is what I am telling you. 

We are on track, however, we believe, to achieve a score signifi- 
cantly higher, probably we believe a B, by the end of Fiscal Year 
2006. But the reality for the Department of Homeland Security, our 
environment is large enough, complex enough, and has so many 
different moving parts and pieces. We are moving as quickly as we 
can, but we must move with quality and with speed. 

And we just do not believe we cannot get there faster than Fiscal 
Year 2006. 

Mr. Cox. Mr. Chairman, my time has expired. I do not know if — 
I did not realize there were votes on the floor. I yield back. 

Mr. Rogers. The gentleman yields back. 

I do want to thank both of you again for your statements. And 
your answers have been very helpful. We have been called for two 
votes, so we are going to excuse both of you all and ask our second 
panel, if you could, to be patient with us. 

We are going to run over and vote, and we will be right back for 
the start of our second panel. Thank you very much. 

We are in recess, subject to the call of the chair. 

[Recess.] 

Mr. Rogers. The chair would like to call this meeting of the sub- 
committee back to order. 

And I thank our panelists for their patience, but we had to go 
vote. And I would now like to recognize Mr. Mark MacCarthy, sen- 
ior vice president for public policy at Visa USA to testify. 

Your statement? 

STATEMENTS OF MARK MacCARTHY, SENIOR VICE PRESIDENT 
FOR PUBLIC POLICY, VISA USA 

Mr. MacCarthy. Thank you, Mr. Chairman and ranking minor- 
ity member. 

My name is Mark MacCarthy. I am the senior vice president of 
public policy for Visa USA. I appreciate the opportunity to address 
the important issues raised by today’s hearings on the need to 
strengthen information security. 

The Visa payment system, of which Visa USA is a part, is the 
largest consumer payment system in the world, with more volume 
than any other payment system and, indeed, with all other pay- 
ment systems combined. We play a pivotal role in advancing new 
payment product and technologies, including technology for pro- 
tecting personal information and preventing identity theft and 
fraud. 

Visa commends the subcommittee for focusing today on this im- 
portant issue. As the leading consumer electronic payment system. 
Visa considers it a top priority to remain a leader in the develop- 
ment of services and technologies that protect information and pro- 
tect consumers from the consequences of information security 
breaches. 

We have long recognized the importance of strict internal proce- 
dures to protect the customer information that is housed within 
Visa’s databases and the databases of our members. 
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We have a strong incentive to have a good security proceedings 
in place. The Visa system provides for zero liability for cardholders 
when unauthorized transactions take place. Cardholders are not re- 
sponsible for the unauthorized use of their card. This Visa zero-li- 
ability policy guarantees the maximum protection for Visa card- 
holders against fraud. 

And because the financial institutions within the Visa system do 
not hold their cardholders responsible for that unauthorized fraud, 
Visa institutions incur costs. These costs include the direct costs of 
fraud, the credit that is not repaid, and can also be in the form of 
indirect costs attributable to the harm of consumers and to mer- 
chants generally. Accordingly, Visa protects the customer informa- 
tion of its members vigorously. 

We are currently implementing a comprehensive and aggressive 
consumer information security program. It is called a cardholder 
information security program. Its acronym is CISP. This security 
program applies to all entities, including merchants that store, 
process, transmit or hold Visa cardholder data and covers enter- 
prises that operate through brick-and-mortar operations, mail and 
telephone order operations, or through the Internet. 

CISP was developed to ensure that the customer information 
that Visa’s members have got is kept protected and secure. CISP 
includes not only data security standards but also provisions for 
monitoring compliance and sanctions for failure to comply. 

As part of CISP, Visa requires all participating entities to comply 
with our Visa “Digital Dozen,” 12 basic security requirements for 
safeguarding accounts. These include to install and maintain a 
working firewall to protect data. 

Do not use vendor supplies defaults for system passwords and se- 
curity parameters. Protect stored data. Encrypt data sent across 
public networks. Use and regularly update anti-virus software. De- 
velop and maintain secure systems and applications. 

Restrict access to data on a need-to-know basis. Assign a unique 
I.D. to each person with computer access. Restrict physical access 
to data. Track all access to network resources and data. Regularly 
test security programs and processes. And implement and maintain 
an overall security program. 

For the largest companies, for those companies that process more 
than 6 million Visa transactions per year, we require an annual on- 
site audit, validated by an independent security assessor, or in the 
alternative, an internal audit signed off by an officer of the com- 
pany. 

We also require quarterly network scans validated by a qualified, 
independent scan vendor. Visa provides lists of recommended secu- 
rity assessors, scan vendors, and software providers for the use of 
merchants and others who have the need for that service. 

Visa takes enforcement action against companies that do not im- 
plement adequate security. Visa members are subject to fines of up 
to $500,000 per incident for any merchant or service provider that 
is comprised and is not compliant with our CISP program at the 
time of the incident. 

Visa is not the only organization that has developed security 
standards. In order to avoid the potential for conflicting require- 
ments on merchants and others, in December of 2004, Visa, 
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MasterCard, American Express, Discover, and Diner’s Club collabo- 
rated to align our data security requirements for merchants and 
third parties. 

We found that the differences between these security programs 
were largely procedural, not substantive, and we had — therefore we 
were able to integrate our CISP program into a common set of data 
security requirements without diluting the substantive measures 
that were already in place for information security. 

This new common set of data security standards is called the PCI 
standard. It invokes a common framework for four fundamental as- 
pects of information security. 

First, it details technical requirements for the secure storage, 
processing and transmission of cardholder data. It contains com- 
mon security auditing procedures. It enables participants to cross- 
recognize their respective certification programs for vendors. And 
fourth, it allows for the restructuring of the program so that each 
has similar merchant and service-provider validation requirements. 

This new alignment allows merchants and service providers to 
select one vendor and implement a single process to comply with 
all of the payment card requirements. Instead of fragmenting their 
resources to satisfy separate requirements, this standard allows 
merchants and service providers to focus on achieving a common 
objective, namely the robust and continuously updated security pro- 
grams that we all want. 

In addition to the CISP program. Visa uses sophisticated neural 
networks that flag unusual spending patterns for fraud. And you 
block the authorization of transaction where fraud is suspected. 

When cardholder information is compromised. Visa notifies the 
issuing financial institution. We put the affected card numbers on 
a special monitoring status. And if Visa detects any unusual activ- 
ity in that group of cards, we again notify the issuing institutions 
who begin a process of investigation and card re-issuance. 

Mr. Chairman, I have some additional information about pro- 
grams that Visa has in place for identity theft. And I respectfully 
request that that information be made part of the record of this 
hearing. 

Mr. Rogers. Without objection, it is. 

Mr. MacCarthy. Thank you for this opportunity to testify, and 
I am prepared to answer any questions you may have. 

[The statement of Mr. MacCarthy follows:] 

Prepared Statement of Mark MacCarthy, Senior Vice President, Public 

Policy, VISA USA 

Mr. Chairman, my name is Mark MacCarthy. I am Senior Vice President for Pub- 
lic Policy for Visa U.S.A. Inc. Visa appreciates the opportunity to address the impor- 
tant issues raised by today’s hearing on the need to strengthen information security. 

The Visa Payment System, of which Visa U.S.A. is a part, is the largest consumer 
payment system, and the leading consumer e-commerce payment system, in the 
world, with more volume than all other major payment cards combined. Visa plays 
a pivotal role in advancing new pa3Tnent products and technologies, including tech- 
nology initiatives for protecting personal information and preventing identity theft 
and other fraud. 

Visa commends the Subcommittee for focusing on the important issue of informa- 
tion security. As the leading consumer electronic commerce pa3Tnent system in the 
world. Visa considers it a top priority to remain a leader in the development of tech- 
nology, products, and services that protect consumers from the effects of information 
security breaches. As a result. Visa has long recognized the importance of strict in- 
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ternal procedures to protect the customer information of Visa’s members, thereby 
protecting the integrity of the Visa system. 

Visa has substantial incentives to maintain strong security measures to protect 
customer information and the Visa system overall. The Visa system provides for 
zero liability to cardholders for unauthorized customer transactions. Cardholders 
are not responsible for unauthorized use of their cards. The Visa Zero Liability pol- 
icy guarantees meiximum protection for Visa cardholders against fraud due to infor- 
mation security breaches. Because the financial institutions that are Visa members 
do not impose the losses for fraudulent transactions on their cardholder customers, 
these institutions incur costs from fraudulent transactions. These costs are in the 
form of direct dollar losses from credit that will not be repaid, and also can be in 
the form of indirect costs attributable to the harm and inconvenience that might be 
felt by customers or merchants. Accordingly, Visa aggressively protects the customer 
information of its members. 

Visa’s Cardholder Information Security Plan 

Visa is currently implementing a comprehensive and aggressive customer infor- 
mation security program known as the Cardholder Information Security Plan 
(“CISP”). This security program applies to all entities, including merchants, that 
store, process, transmit, or hold Visa cardholder data, and covers enterprises oper- 
ating through brick-and-mortar stores, mail and telephone order centers, or the 
Internet. CISP was developed to ensure that the customer information of Visa’s 
members is kept protected and confidential. CISP includes not only data security 
standards but also provisions for monitoring compliance with CISP and sanctions 
for failure to comply. 

As a part of CISP, Visa requires all participating entities to comply with the “Visa 
Digital Dozen” — twelve basic requirements for safeguarding accounts. These include: 
(1) install and maintain a working network firewall to protect data; (2) do not use 
vendor-supplied defaults for system passwords and security parameters; (3) protect 
stored data; (4) encrypt data sent across public networks; (5) use and regularly up- 
date anti-virus software; (6) develop and maintain secure systems and applications; 
(7) restrict access to data on a “need-to-know” basis; (8) assign a unique ID to each 
person with computer access; (9) restrict physical access to data; (10) track all ac- 
cess to network resources and data; (11) regularly test security systems and proc- 
esses; and (12) implement and maintain an overall information security policy. 

Audits 

For the largest companies, those who process more than 6 million Visa trans- 
actions per year, we require an annual on-site audit validated by an independent 
security assessor, or an internal audit signed by an officer of the company. Visa also 
requires quarterly network scans validated by a qualified independent scan vendor. 
Visa provides lists of recommended security assessors, scan vendors, and software 
providers. 

Sanctions 

Visa takes enforcement action against companies that do not implement adequate 
security. Visa members are subject to fines, up to $500,000 per incident, for any 
merchant or service provider that is compromised and not CISP-compliant at the 
time of the incident. 

Payment Card Industry Data Security Standard 

Visa is not the only credit card organization that has developed security stand- 
ards. In order to avoid the potential for imposing conflicting requirements on mer- 
chants and others, in December of 2004, Visa, MasterCard, American Express, Dis- 
cover, and Diners Club collaborated to align their respective data security require- 
ments for merchants and third parties. We found that the differences between these 
security programs were more procedural than substantive. Therefore, Visa has been 
able to integrate CISP into a common set of data security requirements without di- 
luting the substantive measures for information security already developed in CISP. 
Visa supports this new, common set of data security requirements, which is known 
as the Payment Card Industry Data Security Standard (“PCI Standard”). 

The PCI Standard provides a common framework that encompasses four funda- 
mental aspects of information security: 

• Technical Foundation: The PCI Standard details technical requirements 
for the secure storage, processing, and transmission of cardholder data. 

• Testing Methodologies: The PCI Standard promotes the development of 
common security auditing procedures, scanning procedures, and provides a com- 
mon security Self-Assessment Questionnaire. 

• Vendor Certification: The PCI Standard enables participants to cross-rec- 
ognize their respective certifications for vendors. In particular, MasterCard has 
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agreed to recognize Visa-approved onsite security assessors, and Visa will recog- 
nize MasterCard security scan vendors. 

• Compliance Validation: The individual security programs maintained by 
payment card systems, such as Visa’s CISP or MasterCard’s security program, 
have been restructured within the framework of the PCI Standard so that each 
has similar merchant and service provider-levels and validation requirements. 

The new alignment of security standards under this framework allows merchants 
and service providers to select one vendor and implement a single process to comply 
with all pa3Tnent card data security programs. Instead of fragmenting their re- 
sources to satisfy separate requirements, the PCI Standard allows merchants and 
service providers to focus on achieving a common objective: robust and continuously 
upgraded security programs. 

Neural Networks to Detect Fraud and Block Potentially Unauthorized 
Transactions 

In addition to the CISP program. Visa uses sophisticated neural networks that 
flag unusual spending patterns for fraud and block the authorization of transactions 
where fraud is suspected. When cardholder information is compromised, Visa noti- 
fies the issuing financial institution and puts the affected card numbers on a special 
monitoring status. If Visa detects any unusual activity in that group of cards, we 
again notify the issuing institutions, who begin a process of investigation and card 
re-issuance. 

Mr. Chairman, Visa has additional information about its programs to prevent 
identity theft and to aid customers to recover from identity theft. I respectfully re- 
quest that information relating to these programs, and to the programs which I 
have described in my testimony, be included in the record of this hearing. 

Thank you, again, for the opportunity to present this testimony today. I would be 
happy to answer any questions. 

Mr. Rogers. Thank you, Mr. MacCarthy, for your testimony. 

The chair now recognizes Mr. Mark Zwillinger, partner at 
Sonnenschein, Nath and Rosenthal, for his opening statement. 

MR. MARC J. ZWILLINGER, ISSP NATIONAL CHAIR, INFORMA- 
TION SECURITY AND INTERNET ENFORCEMENT GROUP 

Mr. Zwillinger. Thank you. 

Chairman Rogers and Ranking Member Meek, thank you for in- 
viting me to speak with you today on the topic of strengthening in- 
formation security at DHS. As you know, I am a former computer 
crime prosecutor from the Department of Justice, and I now run 
the information security and enforcement practice at Sonnenschein, 
Nath and Rosenthal. 

In my legal practice, I help private-sector clients develop and im- 
plement information security programs and effective instant re- 
sponse plans. My clients come from a variety of industries, and 
they include major financial institutions, Internet service providers, 
satellite broadcasters, and traditional media publishers. 

In addition to my client work, I have participated in two efforts 
to help secure the nation’s critical infrastructure. First, I served on 
the National Academies’ Committee on Critical Infrastructure Pro- 
tection and the Law, and most recently, I served on the Corporate 
Information Security Working Group, which provided advice to the 
House Committee on Government Reform. 

But I sit before you today not on behalf of my clients but to use 
my information security experience from the private sector to try 
to be helpful on the topic of strengthening DHS’ information secu- 
rity programs. With that goal, I would like to share some lessons 
that I have learned from my experience in the private sector. 

First, we all understand that government computer systems are 
attractive targets for a variety of reasons, the critical nature of the 
information stored on the systems, the potential for serious disrup- 
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tion of government operations, and the continued inadequacy of se- 
curity controls at many agencies. Of course, only the last of these 
factors is completely within the government’s control, and FISMA 
was supposed to bring improvement in this area. 

As you know, FISMA requires each federal agency to provide in- 
formation security protections that are appropriate to the risk of 
harm that might result when a system is compromised. This same 
risk-based approach is found in almost all information security leg- 
islation and in all best-practices guides in the private sector. 

However, I have seen in the private sector that, no matter how 
valuable the information is that is contained on computer systems, 
a standard risk analysis is generally not sufficient to motivate true 
organizational commitment to security. Instead, such commitment 
is spurred by ancillary factors, such as the damage to the com- 
pany’s public reputation and possible financial harm that could re- 
sult from such damage. 

In fact, one of the key reasons why some in the private sector 
are predisposed against legislation requiring notice in the event of 
a security breach is that, when the risk of a security breach in- 
cludes the risk of public disclosure of that breach, the analysis vir- 
tually requires an investment in security for several reasons. 

First, the public disclosure alone would have the potential to tar- 
nish a company’s reputation, interfere with their customer relation- 
ships, and drive down their market value. Second, the public disclo- 
sure creates an increased potential for litigation, especially now, 
which threatens direct financial loss, as well as additional pub- 
licity. 

So if these types of consequences are necessary to change the 
risk calculus in the private sector, how do we change the risk cal- 
culus in the public sector? And it appears that FISMA report cards 
were designed to do just that. By making FISMA compliance public 
in a very simple-to-understand way, the goal was to use the nega- 
tive stigma of receiving an F grade to bring about more positive re- 
sults. 

However, without the marketplace effect, the risk of getting an 
F in the public sector is not nearly as threatening, and not, there- 
fore, as motivational as a similar failure in the private sector, even 
though the consequence of a compromise at DHS could be a lot 
worse. 

One fix would be to seek to incentivize behavior in the same way 
as in the private sector. This might translate into responding to 
poor information security performance with stronger oversight or 
more exacting audits. It may also include tying security perform- 
ance to the private sector equivalent of profit, mainly funding. 

A second lesson is that many of the security breaches I have seen 
recently have involved comprises of data given to third parties 
without a clear allocation of responsibility for security and for noti- 
fication. On the whole, both the public and private sectors tend to 
worry far less about their data when it is given to others to man- 
age, when the exact opposite should be true. 

Third, the importance of a proper incident-response program can- 
not be overstated. No set of policies, procedures, or practices can 
achieve a goal of making an agency completely secure. But my ex- 
perience with the private sector suggests that organizations that 
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aspire to have a robust incident-response program not only discover 
and address event before they become serious, but by following 
their plan and fixing the detected vulnerabilities, they can signifi- 
cantly improve their overall security posture. 

DHS’ performance on the FISMA categories of tested contingency 
plans and effective security and privacy controls suggest that either 
the department’s incident-response plan is lacking or its execution 
requires some improvement. 

Finally, Mr. Chairman, having read the testimony of DHS offi- 
cials and listening to Mr. Cooper today, I think you would be hard 
pressed to find many security experts who would say that DHS is 
saying the wrong thing. 

Instituting a strategic plan, working to institute DHS policies 
throughout all of its organizational components, completing its in- 
ventory, and collecting and verifying metrics are steps in the right 
direction. Nevertheless, creating a true culture of security certainly 
remains an evolving challenge at DHS. 

My clients, who have been most successful in creating a culture 
of security, are easy to distinguish from those who have not. While 
most organizations have talented people attending to information 
security, the priorities have to be set from the top down and car- 
ried throughout the organization. 

For example, one of my clients, in addition to all of the informa- 
tion security policies and procedures they have, they bring in all 
of their product engineers from around the world for an annual 
multi-day conference on security issues, despite the time spent 
away from revenue-producing work. 

In my view, this conference is but one example of how that com- 
pany gets it. For them, information security is not all about return 
on investment or liability prevention. It is an essential part of their 
product development lifecycle and their culture. 

For the sake of the country, I would hope that the same could 
be said about DHS in the very near future. 

Mr. Chairman, thank you for your leadership in convening this 
important hearing. I hope I can provide further help by answering 
your questions now or in the future. 

[The statement of Mr. Zwillinger follows:] 

Prepared Statement of Marj J. Zwillinger, Partner, Sonnenschein Nath & 

Rosenthal LLP 

Chairman Rogers, Ranking Member Meek, and Members of the Subcommittee, 
thank you for the opportunity to address the Subcommittee on the important topic 
of Strengthening Information Security at the Department of Homeland Security 

Background 

I have been a lawyer in the field of Information Security since 1997 when I was 
a Trial Attorney at the United States Department of Justice Computer Crime and 
Intellectual Property Section. 

Since 2000, I have been leading an Information Security Legal practice at a na- 
tional law firm. In my daily practice at Sonnenschein Nath & Rosenthal, I help pri- 
vate sector companies develop and maintain effective information security programs 
and incident response plans. While this may not be traditional legal work, I am not 
a traditional lawyer, as I am also a Certified Information Systems Security Profes- 
sional and have training in computer forensics and network investigations. 

In addition to my work with private companies, I have been part of two efforts 
to provide ideas to help secure the nation’s critical infrastructure. First, I served as 
a member of the National Academies’ Committee on Critical Information Infrastruc- 
ture Protection and the Law. Second, I had the privilege of being invited to partici- 
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pate as the sole independent lawyer on the Corporate Information Security Working 
Group, which advised the House Committee on Government Reform, Subcommittee 
on Technology, Information Policy, Intergovernmental Relations and the Census. As 
with my testimony here today, my participation in both of those efforts was not on 
behalf of any client, but was an attempt to use my experience of representing clients 
in the information security space to help our country better protect its information 
assets. 

Ironically enough, both of those prior efforts were geared towards finding better 
ways to motivate the private sector to protect the portions of the critical infrastruc- 
ture under its control. However, now that a spate of industry-specific regulation and 
high-profile breaches of consumer information seem to be motivating the private sec- 
tor to action, and given the Sarbanes-Oxley environment in which spending money 
on internal controls is becoming commonplace, it may be the public sector that could 
most benefit from additional attention. 

About the Threats to Government Systems 

When I was a computer crime prosecutor, it was conventional wisdom among 
hackers that government agencies and educational institutions were the low-hang- 
ing fruit of the computer world. These entities presented attractive targets because 
of the bandwidth and power of the computer systems available, and because the se- 
curity at both types of institutions was ineffective. 

when the focus of computer crime shifted away from the availability of computer 
resources to the market value of information stored on computer systems, the pri- 
vate sector became an interesting, and potentially lucrative, target. 

But while that shift may have diminished the interest in hacking university sys- 
tems (except as we have recently learned for the purpose of identity theft), govern- 
ment systems remain an attractive target for several reasons: 

(1) the power and bandwidth of these computer systems; 

(2) the critical nature of the information stored on such systems; 

(3) the potential for significant disruption of critical government activities; and 

(4) the inadequacy of security controls at many government agencies. 

Of these factors, only the fourth is completely within the government’s control. 
And the Federal Information Security Management Act (FISMA) was designed to 
change the way government agencies addressed this fourth factor. FISMA requires 
the head of each federal agency to provide information security protections that are 
commensurate with the risk and magnitude of harm that might result from unau- 
thorized access, use, disclosure, modification or destruction of the information con- 
tained on such systems. 

Changing the Risk Calculation 

The same risk-based approach is contained in almost all information security leg- 
islation, regulations, and best practice guides that are used by the private sector, 
and always includes an assessment of the value of the information stored on the 
computer systems. What I have seen when counseling my private sector clients on 
information security issues, however, is that the motivation to improve information 
security relates not just to the value of the information at issue, but to several ancil- 
lary factors. In fact, private sector information may be less sensitive and present 
a lower risk of harm to the nation’s security if compromised, but it is at times better 
protected than DHS information. 

The risk that is evaluated and, with increasing frequency, acted upon by private 
corporations is the damage to the corporation’s public reputation and the financial 
harm that may result. In fact, one of the key reasons that the private sector is 
sometimes predisposed against security breach notification legislation, such as the 
bills already introduced in the 109th Congress, is that when the risk of compromise 
of a system becomes the risk of public disclosure of that compromise, the con- 
sequences virtually demand a significant investment in security by every right- 
minded CEO or CIO of a public company for several reasons. 

First, the public disclosure itself has the potential to drive down market value of 
a corporation. Second, disclosure of such breaches, irrespective of resulting harm, 
tarnishes the corporation’s reputation and interferes with customer relationships. 
Third, the public disclosure of breaches also creates an increased potential of litiga- 
tion, threatening direct monetary loss as well as additional adverse publicity and 
lower market value. 

As a result, these potential consequences are powerful enough to drive a corpora- 
tion to invest in security even where the information stored is not as valuable as 
DHS data, because any breach directly threatens corporate financial results. 

Lessons Learned 

First, as I have described, risk assessments that focus solely on the value of the 
information to be protected have often been unsuccessful on their own in motivating 
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good information security behavior. Accordingly, external forces caused a change in 
the risk calculus. But how do you change the risk calculus for the public sector? 

FISMA report cards were designed to accomplish that objective. By identifying the 
agencies that were not meeting FISMA standards in a more public way than the 
detailed descriptions contained in the 0MB reports, the associated stigma was in- 
tended to raise the profile of non-compliance, thereby creating incentive for action. 
However, absent a market value determination, the risk associated with receiving 
a failing grade is not nearly as catastrophic, nor as motivational, as it is in the pri- 
vate sector, even though the consequences of a compromise of DHS information may 
be greater. 

Accordingly, FISMA compliance, and public sector information security in general, 
could be bolstered by offering incentives based on what we have seen work in the 
private sector. This includes responding to poor information security performance 
with stronger oversight or more exacting audits, and rewarding good security prac- 
tices with positive incentives. It may also include tying security performance to the 
private sector equivalent of profit, namely funding. While it may seem offensive to 
suggest that the threat of a loss of our nation’s most sensitive and critical informa- 
tion is alone an insufficient incentive to improve information security, DHS’s FISMA 
performance to date suggests that additional action may be warranted. 

The second lesson is that many, if not most, of the breaches to which I have re- 
sponded in the past four years have included compromises of data that was placed 
in the hands of third parties without a clear allocation of responsibility for security 
issues, or procedures for notification and response in the event of a breach. Given 
that of all the issues identified in OMB’s 2004 FISMA report, DHS fared the best 
on “using appropriate methods to ensure that contractor-provided services are ade- 
quately secure,” perhaps the private sector has something to learn from the govern- 
ment in this regard. On the whole, however, both sectors tend to worry less about 
data maintained by others, when the exact opposite should be true. 

Third, as noted in the National Institute of Standards and Technology (NIST) In- 
cident Handling Guidelines, “an incident response capability is necessary for rapidly 
detecting incidents, minimizing loss and destruction, mitigating the weaknesses that 
were exploited, and restoring computer services.” In my experience with the private 
sector, organizations that have a robust incident response program not only catch 
incidents before they become serious, but in executing the incident response plan 
and remediating the vulnerabilities that are detected as a result of the plan, achieve 
a much improved security posture. DHS’ poor performance on the FISMA categories 
of “tested contingency plans,” and “effective security and privacy controls,” suggests 
that either the Department’s incident response plan is lacking, or its execution re- 
quires improvement. 

Finally, Mr. Chairman, your Subcommittee would be hard-pressed to find too 
many security experts wbo would say that DHS is saying the wrong things. That 
is, instituting an Information Security Program Strategic Plan, working to institute 
DHS-wide policies within the organizational components, and collecting and 
verifying performance metrics are positive steps in the right direction. Nevertheless, 
the objective must be to create a culture of security within every organization, which 
clearly remains an evolving challenge in these early days of DHS. 

My clients who have been successful at creating a culture of security can be easily 
distinguished from those that have not. For example, one of my clients flies in all 
of its product engineers, located domestically or internationally, for an annual multi- 
day conference on security issues, despite the time spent away from revenue-pro- 
ducing activities. In my view, that company clearly “gets it.” Information security 
is not all about return on investment or liability prevention, rather, it is an essen- 
tial component of their product development lifecycle and their culture. For the sake 
of the country, I would hope the same could be said about DHS in the very near 
future. 

Mr. Chairman, again, thank you for your leadership in convening this important 
hearing and I stand ready to be of further assistance through answering your ques- 
tions now or in the days ahead. 

Mr. Rogers. Thank you, Mr. Zwillinger, Zwillinger. What is the 
correct pronunciation? 

Mr. Zwillinger. Zwillinger. 

Mr. Rogers. Zwillinger, for your testimony. 

I now have a couple of questions. And I would like to start with 
you. 
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You were here for the first panel’s testimony. And when you 
think about your clients that you deal with, what is the suggestion 
that you would offer this committee as a change that we could 
focus our attention on to remedy the problems that we are seeing 
reflected in this F grade? 

Mr. ZwiLLiNGER. Well, based on my experience with clients, I 
find that the organizations in companies that are able to really 
carry security throughout their organization have a very top-down 
approach. That is, the CIO or the chief information security officer 
is empowered throughout the organization to make sure that the 
organization is complying with security practices and carrying 
through with its mission. 

And I have not studied DHS long enough to know how deep a 
problem this is within the organization. I do note that when Frank 
Deffer testified before the House Committee on Government Re- 
form, he pointed to a lack of formal reporting structure between 
the CIO and its organizational components. I do not know if that 
is the case or not at DHS, but I know that generally in the private 
sector that is an important feature, if the CIO can control the poli- 
cies from the top down. 

Mr. Rogers. You heard reference earlier about the problems 
with inventory that are described as kind of the biggest challenge 
that DHS faces. Do you see a similar problem with getting your 
arms around inventory and applications on the inventory in the 
private-sector clients that you have, as was presented earlier by 
the DHS testimony? 

Mr. ZwiLLiNGER. Certainly, the clients I work with do conduct an 
inventory at the very beginning of a risk assessment, determining 
their assets and defining which assets are most critical. So I do see 
that that is a hurdle that most of my clients have to overcome. 

I cannot really comment on the length of time that it is taken 
DHS to conduct that inventory, but I do know that conducting in- 
ventory is an important first step and should be completed at the 
first stages of the security program. 

Mr. Rogers. Thank you. 

I would like to ask Mr. MacCarthy, what kind of management or- 
ganizational structure and line of authority does Visa have in place 
to address information security issues? 

Mr. MacCarthy. We have a chief information officer who has 
full authority within Visa to make the decisions that he needs to 
make in order to ensure that the Visa system itself is safe and se- 
cure. 

Our program for spreading good security to the institutions out- 
side Visa is under our risk control operation. And they work closely 
with the member banks within the Visa system, who in turn work 
closely with the merchants. Visa has every incentive to do the right 
thing with respect to information security. 

One of the things that — Mark’s comments on the contrast be- 
tween the private sector and the public sector deserves some em- 
phasis. Why do we take these steps for information security within 
the Visa system and with respect to merchants? And the answer 
is, because fraud losses within our system fall on our members. 
And anything we can do to prevent the information security 
breaches means we minimize those fraud losses. 
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We spend $300 million a year on information security and fraud 
control. And those kind of investments pay off. Our fraud rate is 
now down at the level of 5 cents for every $100, and it continues 
to go down year after year because of those investments. 

So I think one of the big contrasts between the public sector and 
the private sector here is the incentives that different companies 
have for practicing good information security. 

Mr. Rogers. Well, you make a good point in referring to the liti- 
gation, the exposure that you would have. But in response to that, 
I would say, do you have a formal reporting process in place for 
capturing known security weaknesses? 

Mr. MacCarthy. Absolutely. Within the Visa system itself, it is 
internal. And you know, we have regular audits of our own systems 
and any — 

Mr. Rogers. But is this written policy? 

Mr. MacCarthy. Yes, this is. Any deficiencies we catch, you 
know, we step in and correct right away. Within the Visa system 
itself, any breaches on the part of our financial institutions who are 
part of the Visa system, or on merchants, or processors who have 
cardholder information, they are required by contract to report 
those breaches to use immediately. And they are fined some other 
penalties that result for them not reporting those kind of breaches 
to us instantaneously. 

Mr. Rogers. Do you have outside audits of your security system? 

Mr. MacCarthy. Oh, yes, sir. Oh, yes. 

Mr. Rogers. Conducted by who? 

Mr. MacCarthy. I will get you the answer on that. There is an 
outsider auditor that we use for that purpose. 

Mr. Rogers. Great. Thank you both. 

The Chairman now yields to the Ranking Member, Mr. Meek. 

Mr. Meek. Thank you very much, Mr. Chairman. 

Gentlemen, I want to thank you for your testimony. As you can 
tell, there are a number of members of the Congress that are very 
concerned about how we are exposed, I feel, to not — I mean, to neg- 
ative forces that are out there, especially as it relates to homeland 
security. 

And I was — ^both of you, I was taking a look at your testimony 
here. And from what I heard, both of you are driven in the private 
sector. And I am pretty sure that you have taken a look at the 
GAO report. And to see the position, not only the Department of 
Homeland Security is in now, and you heard earlier testimony to 
the fact that it will be Groundhog Day next year, this time, if 
things are left up to the mechanics of the department and others. 

Looking at the position that the department is in, along with 
four or five other agencies of the federal government, and the fed- 
eral government overall receiving a D-plus by our own eyes and 
ears, and looking at the tools that were used, where auditor gen- 
erals basically ask questions to work with the IT officials within 
those departments. Pretty much, you are given a test, but you also 
have the opportunity to use whatever materials that you may find 
to answer the question. 

If there was a private sector company, let us just say, Mr. Z — 

[Laughter.] 
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I was dying to say that. I know people — do people call you Mr. 
Z? 

Mr. ZwiLLiNGER. All the time. 

Mr. Meek. I know. It is just so cool. 

If there is a private-sector company in the position of the Depart- 
ment of Homeland Security, how long will it take that company to 
bring itself up to some sort of reasonable level that what we would 
find with using our measuring stick to bring it to a C or a B. 

How long would that take? Will that take an experience of 3 or 
4 years to improve its footprint, or will it take the time that we 
are being told that it would take for the department to bring itself 
up to standard? 

Mr. ZwiLLiNGER. It is a very difficult question for me to answer, 
one, because my clients are not generally of the size and scope of 
DHS, nor have they dealt with the integration of the equivalent of 
42 subsidiaries, or what number of subsidiaries in a very short pe- 
riod of time. 

That being said, I have seen considerable progress in all of the 
clients that I have worked with in the security space from the time 
that I left DOJ and started practicing information security in 2000, 
you know, within a couple of years, if they have decided to invest 
significantly in security. 

So I understand the problems with DHS must be daunting. And 
I do not know that there is a real private sector analog that I can 
really draw upon to answer your question. 

Mr. MacCarthy. If I could comment, I think it is important not 
to overstate the extent to which the private sector is automatically 
doing the right thing in the area of information security. I think 
largely the incentives are aligned right, but it is important to re- 
member that, that for many companies, information security is a 
cost. 

You have got to invest in the technology. You have got to invest 
in the time and training of your personnel. There is some loss of 
functionality in some cases. 

And you are protecting yourself against relatively rare events. 
And when the bad things do occur, there is a breach, you know, 
the costs are sometimes distributed. They do not fall just on the 
company involved, but they fall on other parties. So there is a kind 
of externality in that, where the market forces do not always auto- 
matically align to create, you know, perfect incentives to invest in 
information security. 

That is one reason why Visa stepped in with this CISP program, 
because we wanted to make sure that, when the fraud losses fall 
on our member financial institutions, but the security investments 
has to made by merchants and others who house the data, that 
there was some sort of private-sector mechanism involved that 
could try to internalize that market externality. 

We are aware that there are no rules and regulations under fed- 
eral law or state law that require information security for mer- 
chants. And so we stepped into the breach to see what we could 
do to try to correct that particular difficulty. 

Mr. Meek. I guess, you know, gentlemen, where my concern 
comes in — as you know, the private sector — and you talk about re- 
porting a little earlier as it relates to embarrassing for that pri- 
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vate-sector company. We know that computers are hacked every- 
day. Some people are held up online literally for a price. And it 
goes unreported. 

It is not public knowledge, you know, the top-secret information 
and posture, and how our IT is so vulnerable in the federal level 
is not — I mean, it is common knowledge. We have things that you 
call exercises related to TOPOFF programs, intelligence informa- 
tion that is shared, not only with state and local government, but 
also with federal agencies within. 

Some may argue that there is a higher level of security as it re- 
lates to our information technology, the higher security level may 
go, but there are people who live to get that kind of information 
as it relates to national security. 

And you are right that this is the largest agency in the history 
of the world, I mean, as we live in it. But at the same time it is 
important as one of the most — the most able country, in my opin- 
ion, for us to be able to move forth. We have to. I mean, the Chair- 
man, myself, the Ranking Member and the overall chair, we are 
going to be held ultimately responsible for being the Oversight 
Committee if we do not apply the pressure where it is needed. 

I was glad to see that the outgoing director of information tech- 
nology to say, “Keep the pressure on us.” But how hard do you 
punch? I mean, do you punch with an answer or do you just punch 
for the sake of punching because someone has said that we are not 
where we need to be and the federal statutes call for greater? 

So anything that you gentlemen — there is only two of us here — 
so if there is anything you gentlemen can share with us that, if you 
were in the position that we are in right now, how could we im- 
prove? 

That was a question in the last panel, how can we help the de- 
partment move faster? Congressman Sheila Jackson-Lee asked the 
question, “Did we do something that we should not have done with- 
in the federal act?” And there was legislation filed last session 
dealing with this subject, and there is legislation, I understand, 
that will be filed next week dealing with subject, too. 

So could you answer along those lines of what you see, as profes- 
sionals in the area in question? 

Mr. ZwiLLiNGER. Sure. I have two points I think I can try to be 
helpful with. 

The first is that, when we started to try to protect the private- 
sector information security infrastructure, we started with indus- 
try-specific, you know, statutes. We started with Gramm-Leach- 
Bliley, and we started with HIPAA. And we said financial informa- 
tion is more important. Let us protect that. Health information is 
more important. Let us protect that. 

And then now, and only in 2004, have we had statutes of general 
applicability trying to get the rest of the country’s information se- 
curity up to a certain standard. 

It seems to me that there is no reason to treat all of the govern- 
ment’s agencies the same. That is, when FISMA was passed, it sep- 
arately treated national security systems as coming under sort of 
separate rules. 

I do not know — even if you are not a national security system, 
I still think there is a basis to distinguish between systems that 
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are so critical to our nation’s infrastructure and systems from other 
agencies that would score lower on the risk scale. And so more 
time, energy and resources could be devoted to dividing up sys- 
tems, because it seemed to work in the private sector, to start with 
financial systems and then move on. 

The second point — and I think some of my clients would not like 
me to sort of admit this honestly, but it is true — is that the public 
disclosure requirement has really forced companies to spend more 
money on security than they might have planned, absent that re- 
quirement. 

That is, they said, “The thing we really do not want to have hap- 
pen is to have to make a public disclosure of this breach, so then 
we come vulnerable in the news, our trade value goes down, and 
the people who might want to sue us get wind of it.” If we could 
figure out who at DHS, who DHS least wants to disclose security 
breaches to and force them to do it in the same way the private 
sector has done it, I would think you would have some of the same 
incentives of compliance that we see outside. 

Mr. Meek. But know what the unfortunate thing about that? 
That happens after the fact. I mean, there is some commission, like 
the 9/11 Commission, that is appointed and then folks start to 
come forward. “Well, we knew this, but, you know, how do we say 
it?” 

And it is different, I think, for the private sector as it relates to 
national security. Of course, there is some information of it was 
stolen that could be very sensitive and could be detrimental to 
the — you know, could be seen as a security risk for the general 
public to know. But there has to be some bar. 

And I am looking within FISMA to see if such a requirement 
can, I mean, exist. Because I am pretty sure it is happened, just 
like it is happened in the private sector. And the more the public 
knows, the posture that we are in, hopefully, the faster that we can 
move. 

And I do not know if we can legislate that. That is what I am 
trying to get down to. There has to be a will. 

But I do not think folks are sitting around the department say- 
ing, “Well, you know, this F means nothing to us, you know? And 
the public scrutiny within the IT world means nothing to us.” 

Because I know professionally in the private sector — Mr. Chair- 
man, if I can — I know that professionally in the private sector that 
there are associations and groups that work together constantly in 
concert to make sure that the industry is secured. 

I do not know exactly if that is something that formally exists 
within the public sector. Maybe amongst local governments — I 
mean, a conference or something. But helping one another to be 
able to move the ball — because it is an ever-changing issue as it 
relates to securing information, from what I have read. 

Last Congress, I served on the Subcommittee on Cybersecurity, 
and I started reading some of the publications that were published 
on it. And it is ever-changing. As you soon as you find the right 
combination to stop hackers from getting into the system or infil- 
trating the system, they find a new way to get in. 

Mr. MacCarthy. If I could jump in there for — I think you are 
right about the notification and other after-the-fact incentives not 
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being perfect, because they rely on feedback loops. And you know, 
after the fact, it may be too late. 

So I think you need stuff up front. And that is why, when we put 
in place our program, it was designed to provide good security re- 
quirements at the beginning to see if we could make sure that the 
notification never had to be given because the security was there 
to begin with. 

I have two points. One is, one of the reasons our Visa CISP pro- 
gram is effective is that it is specific. You know, we are not trying 
to solve all security problems at once. We are focused on one, you 
know, relatively narrow problem. 

It has got a lot of aspects to it, but it is — how do you protect 
cardholder information? I think to that — if this is a recommenda- 
tion to the rest of the world, it is find specific security problems 
and focus on what you think might be important to solve and solve 
those. 

In our experience, you know, two things seem to jump out as 
being effective. One, we found the role of independent audits to be 
very, very important. It focuses the attention of people who have 
to do good security on finding out that there are problems and then 
enabling them to take remedial steps right away. 

The other is, to the extent that we discovered problems with the 
payment application software where there was security flaws, we 
worked with outside assessors, discovered those flaws, worked with 
the vendors. We now have a program of approved, validated pay- 
ment application software that merchants and other processors can 
use, which are free of the defects that we found in earlier versions 
of that kind of software. 

So some sort of validation program for software that is used 
seemed to be a very, very good program, from our point of view. 
And we think it is the kind of thing that, if you are looking for les- 
sons learned, it is one of the lessons that we learned. 

Mr. Rogers. Thank you, gentlemen, both for your testimony and 
your answers, and, Mr. Meek, for your questions. 

There may be some additional questions that Members have. It 
is Thursday afternoon, and votes have completed, so they are on 
airplanes heading home right now. But they may have some addi- 
tional questions that they will submit to you. I would ask you if 
you could respond to those in writing, if they do submit them. We 
are going to leave the record open for 10 days. 

For that, I thank you again for your testimony. 

And this committee meeting is adjourned. 

[Whereupon, at 4:16 p.m., the subcommittee was adjourned.] 
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